The real complexity begins when you design a scalable VPN architecture for hundreds or thousands of customer sites.

At small scale, almost any design works.

At large scale, every design decision affects:

  • scalability
  • operational complexity
  • convergence
  • troubleshooting
  • and long-term maintainability

For example:

Internet Access Design

Should Internet access be centralized through a shared hub/firewall VRF, or should every site use local Internet breakout?

Centralized Internet gives you one inspection point and one egress policy to enforce, at the cost of hairpinning every site's Internet traffic through the hub.
Local breakout reduces WAN utilization and latency, but every site then needs its own enforced egress policy, and each local exit is another place where that policy can drift.

There is no universally correct answer.
The design depends on operational and business requirements.

Route Target and Route Distinguisher Strategy

Many engineers configure RT/RD values without planning.

But poor RT/RD design becomes operationally painful as the network grows.

A scalable RT design should make route leaking, shared services, and troubleshooting predictable: one export RT per customer, a dedicated RT for each shared service that customers import, and an RD that is unique per VRF (and per PE where the route reflectors should carry more than one path) so that overlapping customer address space never collides.

Good architects design RT structures before deployment, not after scaling problems appear.

Shared Services VRF

In many enterprise environments, customers or branches need access to:

  • DNS
  • Active Directory
  • monitoring systems
  • proxy servers
  • centralized firewalls

Instead of leaking routes everywhere, a dedicated Shared Services VRF can simplify policy control and segmentation: customers import only the shared-services RT, the shared VRF imports the customer RTs, and no customer ever imports another customer's RT.

But excessive route leaking can also increase operational complexity, and every extra import RT is a segmentation exception that has to be reviewed and documented, not just a routing detail.
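The hub-and-spoke RT plan behind a shared-services VRF, with the same mechanism reused for a centralized Internet VRF from the Internet access section above, as an added example. This is illustrative Python written for this page, not configuration from the original post or from any vendor. All VRF names, RD/RT values and prefixes are assumptions; it models default PE import/export behaviour (any-match import, no re-export of imported routes, no import maps) and flags the copy-paste mistake that quietly joins two customers:

```python
"""Reachability model for an L3VPN route-target plan.

Added example, not configuration from a real network: VRF names, RD/RT values and
prefixes are constructed to show the hub-and-spoke pattern behind a shared-services
VRF and a centralized Internet VRF, and to catch a copy-paste RT mistake before it
reaches a PE.

Rules modelled (default PE behaviour, no import maps):
  * a prefix originated in a VRF is advertised as a VPNv4 route tagged with that
    VRF's export RTs;
  * a VRF installs a received route if any RT on the route is in its import list;
  * imported routes are not re-exported, so leaking is not transitive.
"""
from dataclasses import dataclass


@dataclass
class Vrf:
    name: str
    rd: str                 # route distinguisher: unique per VRF, a separate namespace from RTs
    export_rts: frozenset
    import_rts: frozenset
    prefixes: frozenset = frozenset()   # routes this VRF originates (CE-learned, static, connected)


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset
    origin_vrf: str


def export_routes(vrfs):
    """Build the VPNv4 table: one route per originated prefix, tagged with the origin's export RTs."""
    return [Vpnv4Route(v.rd, p, v.export_rts, v.name) for v in vrfs for p in sorted(v.prefixes)]


def import_routes(vrf, table):
    """Routes a VRF installs: any-match on import RTs, excluding what it originated itself."""
    return [r for r in table if r.origin_vrf != vrf.name and r.rts & vrf.import_rts]


def reachability(vrfs):
    """Map each VRF name to the set of VRF names whose routes it can see."""
    table = export_routes(vrfs)
    return {v.name: {r.origin_vrf for r in import_routes(v, table)} for v in vrfs}


def installed_prefixes(vrf_name, vrfs):
    """Prefixes a given VRF ends up holding from other VRFs."""
    by_name = {v.name: v for v in vrfs}
    return {r.prefix for r in import_routes(by_name[vrf_name], export_routes(vrfs))}


def isolation_violations(vrfs, hubs):
    """Ordered pairs (a, b) of non-hub VRFs where a can see b's routes. Empty means the design holds."""
    reach = reachability(vrfs)
    spokes = [v.name for v in vrfs if v.name not in hubs]
    return sorted((a, b) for a in spokes for b in spokes if a != b and b in reach[a])


SHARED_RT = "65000:100"     # exported only by the shared-services VRF (assumed value)
INTERNET_RT = "65000:200"   # exported only by the centralized Internet VRF (assumed value)
CUSTOMER_RTS = frozenset({"65000:1", "65000:2"})   # one export RT per customer (assumed values)


def hub_spoke_plan():
    """Customers import their own RT plus the hub RTs; hubs import every customer RT."""
    return [
        Vrf("SHARED", "65000:1000", frozenset({SHARED_RT}), CUSTOMER_RTS,
            frozenset({"10.0.0.0/24", "10.0.1.0/24"})),         # DNS, AD, proxies (constructed)
        Vrf("INTERNET", "65000:1001", frozenset({INTERNET_RT}), CUSTOMER_RTS,
            frozenset({"0.0.0.0/0"})),                           # default route from the hub firewall
        Vrf("CUST-A", "65000:1002", frozenset({"65000:1"}),
            frozenset({"65000:1", SHARED_RT, INTERNET_RT}), frozenset({"172.16.0.0/16"})),
        Vrf("CUST-B", "65000:1003", frozenset({"65000:2"}),
            frozenset({"65000:2", SHARED_RT, INTERNET_RT}), frozenset({"172.17.0.0/16"})),
    ]


def leaky_plan():
    """Same plan, but CUST-B's import list was copied from a hub VRF and now carries 65000:1."""
    plan = hub_spoke_plan()
    b = plan[3]
    plan[3] = Vrf(b.name, b.rd, b.export_rts, b.import_rts | {"65000:1"}, b.prefixes)
    return plan


if __name__ == "__main__":
    hubs = {"SHARED", "INTERNET"}
    for label, plan in (("planned", hub_spoke_plan()), ("leaky", leaky_plan())):
        print(label, reachability(plan), "violations:", isolation_violations(plan, hubs))
```

In the planned design each customer sees only SHARED and INTERNET, and the two hubs see every customer but not each other. The leaky plan reports the pair ("CUST-B", "CUST-A"): CUST-B now holds CUST-A's prefixes while CUST-A still sees nothing of CUST-B, so the leak is one-directional and will not show up from the wrong side. Run the intended import/export sets through a check like this before the VRF is pushed, then confirm the installed VPNv4 routes per VRF on the PE itself.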

PE Placement Strategy

Not every PE router should host every VRF.

As the number of VPNv4 routes increases, memory and control-plane scalability become important design concerns.

Distributing customers intelligently across PE routers becomes part of the architecture itself.

Convergence and Stability

Fast convergence is not only about the IGP.

BGP scaling, label distribution, RR placement, next-hop handling, and PE redundancy all influence overall stability.

Sometimes the simplest topology provides the best operational outcome.

L3VPN design is really about balancing:

  • Scalability
  • Isolation
  • Simplicity
  • Operational Efficiency
  • and Future Growth

The protocols are only tools.
